Disclosed. June 16, 2025: HackerOne Hai Beta, Project Discovery Bounty Templates, and a Hacker Content Call for Writers

The bug bounty world, curated.

Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.

Shout out to this week’s winners (I will email you):

bhavik_kanejiya
sumanthovs062
dexbugger

PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.

Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️

Hey there! Absolutely nothing went down this past week in the world… anyway, let’s dive in.

In This Issue

Opportunity: Join the Hacker Content Team as a Writer [🔗 Tweet]
by @hakluke

Join the Hacker Content team as a blog writer specializing in cybersecurity.
Read the full tweet →

Celebrating H16102 Award Winners [🔗 Tweet]
by HackerOne

Congratulations to the winners of various hacker awards at the Sydney Live Hacking Event, recognizing their significant contributions and collaborations.
Read more →

Bug Bounty Village Teases Something [🔗 Tweet]
by BugBountyDEFCON

👀
Read more →

Have something you want to Spotlight? Tell me.

Join the Beta for Hai: AI Security Agent for Hackers [🔗 Tweet]
by Jobert Abma

Participate in the beta testing for Hai, an AI-powered security agent tailored for hackers, with a limited number of spots available.
Read more →

Template Bounty Program [🔗 Blog]
by PDiscoveryIO

ProjectDiscovery has launched the Template Bounty Program, allowing community members to earn rewards for contributing valuable security templates. It’s a chance to support open-source efforts and gain recognition.
Read more →

Did I miss an important update? Tell me.

New Features in v5.8 of GAP Burp Extension Released [🔗 Tool]
by /XNL-h4ck3r

Version 5.8 of the GAP Burp Extension improves parameter-list and link discovery using modern JavaScript analysis techniques.
Read more →

GitHub - Isira-Adithy/XSSpecter [📁 Tool]
By Isira-Adithy

XSSpecter is a modular toolkit for ethically testing Blind Cross-Site Scripting (XSS) vulnerabilities, featuring a CLI for automated payload spraying and a server for callback handling with a web dashboard.
Read more →

GitHub - RevoltSecurities/ZoomeyeSearch [📁 Tool]
by RevoltSecurities

ZoomeyeSearch is a command-line tool that leverages the ZoomEye search engine to assist in gathering intelligence on exposed services with extensive filtering and output options.
View the tool →

GitHub - Moopinger/smugglefuzz [📁 Tool]
by Moopinger

SmuggleFuzz is a configurable HTTP scanner for identifying downgrade smuggling vulnerabilities, offering customizable scanning commands and detailed documentation for effective use.
View the tool →

Introducing SubWatch: Automated Subdomain Monitoring Tool [🔗 Tweet]
by Brut 🇮🇳

SubWatch automates subdomain monitoring with scheduled scans and alerts, aiding bug bounty hunters in their reconnaissance efforts.
Read more →

Have a favorite tool? Tell me.

Dependency Confusion Exploit Leads to RCE on Netflix [🔗 Blog]
by Lupin

A dependency confusion vulnerability, discovered during a collaboration between Assetnote and Depi, resulted in remote code execution on Netflix.
Read the full blog →

Inside a Massive Healthcare Auth Bypass [🔗 Blog]
by Mayur Pandya

Security researchers uncovered a critical flaw in a healthcare platform that allowed them to hijack over 2,000 tenant accounts by manipulating authentication methods and exploiting poorly implemented SAML logic, all without user interaction.
Read the full blog →

Did I miss an important update? Tell me.

New Features Now Available in my Bug Bounty Hunting Framework | Beta Launch @ DEFCON 33 [🎥 Video]
by rs0n_live

Explore the new features of the Arson Framework version two, launching as an open beta at DEFCON 33, aimed at enhancing bug bounty hunting workflows.
Watch video →

Exploring AI Vulnerabilities and Payout Insights [🔗 Tweet]
by Critical Thinking - Bug Bounty Podcast

This podcast episode concludes a series on AI vulnerabilities, discussing the underlying thought processes and associated payouts.
Read more →

Exploiting Cache Server Normalization for Web Cache Deception | PortSwigger Lab | Explained [🎥 Video]
by Medusa

Learn how to exploit web cache deception vulnerabilities through cache server normalization, with practical techniques using Burp Suite.
Watch video →

How I Find High-Value Bug Bounty Leads (2025) [🎥 Video]
by Ergosum

Discover effective strategies for identifying high-value bug bounty leads, focusing on manual reconnaissance and exploration techniques.
Watch video →

CyberHub: Bug Bounty for Beginners, First Bug to High Impact with Soufian El Habti [🎥 Video]
by cyberhub

Soufian El Habti shares practical insights into starting with bug bounty programs and navigating the cybersecurity landscape effectively.
Watch video →

Did I miss something? Tell me.

Harnessing Wayback Machine, web-archive recon | YesWeHack [📓 Blog]
by YesWeHack

Explore the use of web archives for reconnaissance in bug bounty hunting, emphasizing techniques for analyzing archived data.
Read more →

Server-Side Template Injection (SSTI): Exploitation Guide [📓 Blog]
by Intigriti

This guide provides a thorough understanding of SSTI vulnerabilities, offering insights into their exploitation and methods for bypassing protections.
Read more →

Dependency Confusion · Learn my offensive security tradecraft [📓 Blog]
by Ghostlulz

This article discusses the class of package-manager vulnerability in which attackers exploit naming overlaps between internal and public packages to achieve remote code execution.
Read more →

The Most Underrated 0-Click Account Takeover Using Punycode IDN Homograph Attacks [📓 Blog]
by coffinxp

This article examines IDN Homograph Attacks where similar-looking characters can lead to account takeovers, emphasizing the need for better security measures.
Read more →

Exploring the Controversial End of Bug Bounty Programs [🔗 Tweet]
by Joseph Thacker (rez0)

This blog post discusses varying perspectives on the future of bug bounty programs, sparking discussion within the community.
Read more →

I Fooled the Filters: Homoglyph Username Bypass Vulnerability — An Overlooked Threat in Major Platforms [📓 Blog]
by Aman Bhuiyan

The post highlights how visually similar Unicode characters exploit username restrictions on major platforms, detailing risks and responses from companies.
Read more →

Did I miss something? Tell me.

Encoding Techniques to Bypass IP Validation [🔗 Tweet]
by André Baptista

Review various encoding methods for IP addresses that may bypass validation checks, including decimal and hexadecimal examples.
Read more →

Using Param Miner for Effective Cache Busting in Burp Suite [🔗 Tweet]
by sw33tLie

Learn how to use the $randomplz variable in Burp Suite's Param Miner for effective cache busting to improve testing efficiency.
Read more →

Changing User-Agent Header with cURL for Bypassing Filters [🔗 Tweet]
by HackingHub

Learn how to modify the User-Agent header using cURL to aid in bypassing filters or evading bot detection.
Read more →

Using Interactsh as an Alternative to Burp Suite Pro [🔗 Tweet]
by Coffin

Explore Interactsh, a user-friendly alternative for security testing compared to Burp Suite Pro.
Read more →

Quick Subdomain Profiling Technique Shared [🔗 Tweet]
by bugcrowd

Discover a recommended method for profiling subdomains effectively, with a link to a useful resource.
Read more →

Bypassing Cloudflare 403 for Time-Based Blind SQL Injection [🔗 Tweet]
by N$

A technique for getting past Cloudflare 403 responses when testing for time-based blind SQL injection, with specific payload examples.
Read more →

Exploring Encoding Variants for XSS Payloads [🔗 Tweet]
by Anton

Check various encoding types for XSS payloads, as filters may block certain characters but not their Unicode versions, enhancing exploitation possibilities.
Read more →

AI Technique Reveals Sensitive Info in Markdown Images [🔗 Tweet]
by Joseph Thacker

Discover a novel technique that exfiltrates sensitive information through images referenced via reference-style Markdown links in AI model output.
Read more →

Rediscover Key Bug Bounty Write-Ups from Top Hackers [🔗 Tweet]
by Intigriti

Explore compelling write-ups from skilled hackers that provide valuable insights into web security.
Read more →

Did I miss something? Tell me.

Did you like this week's drop?

Please share feedback.

Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.